The German Data Protection Authorities have so far been reluctant to impose large fines, although Art. 83 of the GDPR provides for fines of up to 20 million euros or up to four percent of a company's worldwide turnover in the previous year, whichever amount is higher.
In Germany, however, these sums have so far been largely theoretical: unlike their counterparts in France or Great Britain, the German data protection authorities have refrained from imposing particularly high fines.
That is about to change: the Data Protection Conference (Datenschutzkonferenz; DSK), the coordinating body of the German Data Protection Authorities, has now published its concept for calculating fines for violations of the GDPR. "In a modern corporate sanction law", the presented concept guarantees "a comprehensible, transparent and case-by-case form of the imposition of fines". The concept was developed by the DSK Working Group for Sanctions and was presented by the Berlin Data Protection Authority in June.
Unitary model for fines
The concept covers the imposition of fines in proceedings against companies for violations of the GDPR in Germany.
A binding effect for cross-border cases or for other EU data protection authorities is not envisaged for the time being. In particular, the concept does not apply to fines imposed on associations or on natural persons outside their business activities.
The calculation of the fine is to be based exclusively on the turnover of the company. From this turnover a so-called "daily rate" is derived. Depending on the severity of the infringement and the nature of the offence, this daily rate is then multiplied by a factor X and possibly adjusted further in accordance with Art. 83 (2) GDPR.
This is intended to establish a Germany-wide standard for dealing with data protection infringements, so that companies can understand the criteria according to which they are sanctioned. There are also plans throughout Europe to harmonise the practice of imposing fines, as intended by Art. 70 (1) lit. k GDPR.
The DSK explained that the concept was also presented to the working group of the European Data Protection Committee (EDSA), where various models for ensuring a uniform European practice for the imposition of fines by the data protection authorities are currently being discussed.
Until then, the concept prepared by the DSK will be applied in Germany.
Complex Calculation Task
The imposition of fines is to be carried out in five steps:
First, the company concerned is assigned to one of four size classes. The size classes are based on the total worldwide turnover of the previous year, which the companies concerned must report in a prior hearing. If they do not provide this information, the authorities may estimate the turnover:
- Micro-enterprises: annual turnover up to 2 million EUR
- Small businesses: annual turnover over 2 million and up to 10 million EUR
- Medium-sized companies: annual turnover over 10 million and up to 50 million EUR
- Large companies: annual turnover over 50 million EUR
Within the four classes, the micro and small enterprises are subdivided into three subgroups and the medium-sized and large enterprises into seven subgroups.
In the second step, the average annual turnover of the respective group of companies is determined, based on the classification of the company into the aforementioned sub-groups.
For large companies in the fourth class with an annual turnover of more than 500 million euros, the maximum fine is 2 or 4 percent of the annual turnover. For these companies the annual turnover is used concretely rather than as a group average.
In the third step, an economic basic value is determined by dividing the average annual turnover by 360 (days). The result is the daily rate, which is rounded up to a whole euro amount.
With the exception of large companies whose annual turnover exceeds 500 million euros, the daily rate is therefore not determined concretely but as a lump sum on the basis of the previously determined classification of the company.
In the fourth step, this daily rate is multiplied by a factor depending on the seriousness of the infringement. The severity of the offence is again divided into four categories: light, medium, heavy or very heavy. Reflecting the different penalty frameworks, different factors are provided for formal (Art. 83 (4) GDPR) and substantive (Art. 83 (5), (6) GDPR) infringements, with substantive infringements naturally weighing more heavily.
In the fifth step, the resulting amount can be adjusted for circumstances not yet taken into account. These include, in particular, all circumstances under Art. 83 (2) GDPR as well as other circumstances, such as a long duration of the proceedings or an imminent insolvency of the company.
The final step also ensures that the fine imposed does not exceed the maximum amounts of 2 or 4 percent of the annual turnover or 10 million/20 million euros.
Higher fines to be expected
The concept adopted by the DSK is explicitly modelled on the fining guidelines of the German Bundeskartellamt, which are likewise based on the company's turnover.
It is certain that the application of the concept will lead to higher fines for companies domiciled in Germany in the future. Fines in the millions will probably also be imposed here. Especially for companies with high turnover, the risk of fines will increase enormously.
It is questionable whether the expected fines are still appropriate and proportionate, as required by Art. 83 (1) GDPR.
This is doubtful, because the concept is primarily based on the turnover of the companies, while, for example, the degree of culpability is only used to correct the calculated fine.
This means that large companies will have to pay high fines even for minimal infringements, because the economic basic value determined for them, and thus the calculated daily rate, is already very high.
It is also unclear how the data protection authorities will deal with companies that have no previous year's turnover or that are making a loss.
As a result, data protection will become even more important for companies. Sooner or later, excessive fines will end up in the courts, which will then have to deal with the DSK fine concept and perhaps adapt it.
In any case, the courts do not have to apply the concept: with regard to the Bundeskartellamt's fining guidelines it has already been decided that such guidelines are not binding on courts. Rather, it is the independent task of the courts to decide how to make use of the GDPR's legal framework for fines.